Method and system in a digital wireless data communication network for arranging data encryption and corresponding server

ABSTRACT

The invention concerns a method and system in a digital wireless data communication network for arranging data encryption as one-time pad encryption. The data communication network includes at least two terminal equipment, which are used to manage a set of indexed encryption keys and of these the first terminal equipment is at least a transmitter and the second terminal equipment is at least a receiver. Besides the encrypted data, the said encryption key index is transmitted to the receiving terminal equipment. The data communication network also includes a special server terminal equipment, which is arranged to manage and distribute a set of indexed encryption keys to the terminal equipment. The invention also concerns a corresponding server terminal equipment.

The invention concerns a method in a digital wireless data communication network for arranging data encryption as one-time pad encryption, wherein the data communication network includes at least two terminal equipment, wherein the terminal equipment are used for controlling a set of indexed encryption keys and of the terminal equipment the first is at least a transmitter and the second terminal equipment is at least a receiver and wherein the data encryption is adapted to take place at the first terminal equipment in stages, wherein

-   an encryption key index is chosen,
-   the data to be transmitted is encrypted by using the encryption key defined by the chosen encryption key index, and
-   the encrypted data is transmitted to the second terminal equipment

and wherein correspondingly at the second terminal equipment

-   the encrypted data is received, and
-   the encrypted data is decrypted by using the chosen key indicated by the encryption key index.

The invention also concerns a corresponding system and server terminal equipment.

Wireless communication still lacks a simple way of implementation for achieving a good and secure encryption concept for communication to be carried on between the plenty of terminal equipment. The encryption algorithms used today are often very complicated for their implementation. In addition, the distribution of their related encryption information, such as, for example, encryption keys, is quite problematic and risky.

Encryption protocols representing the known technology are such as PGP (Pretty Good Privacy) and RSA (Rivest-Shamir-Adleman public key encryption). However, their implementation is rather complicated and heavy, for example, for use in a wireless communication environment. In other environments, too, their usability leaves much to be desired.

As the state of the art reference is made to patent publications U.S. Pat. No. 6,021,203 (Microsoft Corporation), WO-01/95558 A1 (Matsushita), U.S. Pat. No. 5,222,137 (Motorola, Inc.) and U.S. Pat. No. 5,483,598 (Digital Equipment Corp.).

Of these publications U.S. Pat. No. 5,483,598 presents a solution based on the use of one-time pad encryption and using a fixed secret key distributed between the sender and the recipient and also a one-time pad, which, however, is generated, for example, from an encrypted message or from an encryption key flow. In fact, the system is vulnerable in this respect, because by analysing an encrypted transmission long enough it may be possible to solve a recursively generated encryption key.

From WO publication 01/74005 (Hammersmith) such a solution based on one-time pad encryption is known, which presents distribution of keys to several terminal equipment communicating in a fixed Internet network. Here the delivery of encryption keys is carried out mainly in connection with the actual communication event. The sender downloads the encryption key from the server and the server delivers the key also to the recipient of the message. Then the sender and receiver communicate with one another using this downloaded encryption key. This kind of 1-to-1 distribution architecture, wherein one key can be used for communication essentially with one party only, is associated, for example, in mobile station environments, with drawbacks and limitations to do with the distribution of encryption keys. This is why the encryption method presented in the publication will function moderately only in communication between two parties, or at least in communication between more parties its implementation would be very heavy in traffic terms, for example, on account of constant encryption key inquiries. When proceeding in this manner, encryption of group communication would require an exponentially increasing number of encryption keys. The number of encryption keys is now also strongly dependent on the size of the group of users.

It is a purpose of this invention to bring about a method and system of a new kind for arranging encryption in traffic of data format, which essentially simplifies the required encryption system and improves the security of key management. The characteristic features of the method according to the invention are presented in claim 1, those of the system in claim 16 and those of the server in claim 19.

The manner of implementing encryption according to the invention has an entirely opposite approach compared with the known technology, because here the algorithm performing encryption may be infinitely simple in its most advantageous form. The infinitely powerful encryption model thus brought about is also very simple to implement. The method and system are not concerned with the implementation of the algorithms to be used in the encryption, which makes it possible advantageously to utilise, for example, already existing encryption algorithms.

In principle, the presented encryption method and system are entirely invulnerable to all encryption analysis. It can be implemented quickly and advantageously, for example, in known cellular networks and even in existing terminal equipment, as it can easily be merged into their communication software.

The method according to the invention is based on the one-time pad encryption mechanism known as such providing communication between terminal equipment with an essentially improved security level and also a secure way of distributing the information used in encryption to the communicating terminal equipment.

The one-time pad encryption mechanism is the only theoretically unbreakable encryption method. The new kind of managing and distributing encryption keys for use in encryption algorithms essentially improves the security level of encryption and makes it entirely unbreakable in principle in comparison with the methods known at present for use in wireless communication. The system according to the invention includes at least one terminal equipment functioning as a server and one or more terminal equipment communicating with one another in a data communication network. Special advantage is achieved with the method according to the invention explicitly in communication between several terminal equipment (1-to-N communication), wherein smooth distribution of encryption keys has been a bottleneck in the implementation of functioning and smooth one-time pad encryption models. The terminal equipment arranged to function as a server administers the use and formation and possibly also the distribution of the encryption information.

In the system, encryption information is updated for the terminal equipment from the server terminal equipment through the data communication network, which encryption information is used by the plenty of terminal equipment in order to encrypt their traffic. Such encryption information may, for example, include encryption keys, according to one embodiment.

According to a first advantageous embodiment, the encryption may be carried out as complete one-time pad encryption, where an encryption key already used once in the communication between the terminal equipment is not used a second time. In this way a very high security level is achieved for the encryption.

According to another advantageous embodiment, the encryption may also be carried out as partly one-time pad encryption. Hereby the same encryption key can be used several times in the communication between plenty of terminal equipment, but the security level will not suffer significantly from this. With this embodiment an advantage is achieved, for example, in such a situation, where the server terminal equipment administering the encryption keys is temporarily unavailable to the terminal equipment carrying out communication. Another additional achieved advantage is that the data transmission to do with encryption information is reduced significantly and that there is less need for memory capacity for the encryption information to be stored at the terminal equipment.

According to an advantageous embodiment, the updating of encryption information may be done in a wireless local area network even entirely automatically, whereby no steps need to be taken for this by the user of the terminal equipment. The embodiment is especially advantageous, for example, for encrypting communication taking place in a limited group. Hereby the updating of encryption information can be controlled by a server terminal equipment, which transmits encryption information to the terminal equipment at its own discretion. On the other hand, the terminal equipment may also download encryption information spontaneously depending on their need for updating at each time.

Traditionally, the distribution of encryption keys has been the Achilles heel of one-time pad encryption. In the method according to the invention it is also possible to use even powerful encryption for the encryption of encryption keys when transferring them from the server terminal equipment to the terminal equipment. On the other hand, transferring of keys without encryption is also possible, if the distribution of keys is arranged, for example, in such a wireless local area network, where it is possible to control the users having access to its carrier area.

Examples of wireless data communication networks where the invention may be applied are solutions based on CDMA (Code Division Multiple Access), TDMA (Time Division Multiple Access) and FDMA (Frequency Division Multiple Access) technologies and sub-specifications based on these as well as technologies still being developed.

Another advantageous object of application for the method and system according to the invention, besides wireless communication, are mass memories, in connection with which huge quantities of sensitive information are processed.

Other characteristic features of the method, system and server terminal equipment according to the invention emerge from the appended claims and more advantages that can be achieved are listed in the description part.

The method, system and server terminal equipment according to the invention, which are not limited to the embodiments presented hereinafter, are described in greater detail by referring to the appended figures, wherein

FIG. 1 is a schematic view of an example of an embodiment of the system according to the invention,

FIGS. 2 a and b show examples of data structures,

FIG. 3 is a flow diagram showing an example of steps in a first embodiment of the method according to the invention in a terminal equipment transmitting with complete one-time pad encryption,

FIG. 4 is a flow diagram showing an example of steps in a first embodiment of the method according to the invention in a terminal equipment receiving with complete one-time pad encryption,

FIG. 5 is a flow diagram showing a first example of steps in the embodiment shown in FIGS. 3 and 4 in connection with updating of encryption information,

FIG. 6 is a flow diagram showing another manner of implementation of encryption information updating in complete one-time pad encryption,

FIG. 7 is a flow diagram showing an example of steps in another embodiment of the method according to the invention in a terminal equipment transmitting and receiving with partly one-time pad encryption,

FIG. 8 is a flow diagram showing another example in partly one-time pad encryption in connection with updating of encryption information,

FIGS. 9 a-d show an example of a server database in updating of encryption keys, and

FIGS. 10 a-c show an example of encryption key management after a terminal equipment has lost its security.

FIG. 1 is a schematic view of an example of an embodiment of the system according to the invention. The system and method according to the invention concern arranging of data encryption in a digital wireless data communication network 10, 11 in accordance with the one-time pad encryption model. The data communication network 10, 11 may be a wire-line network, such as, for example, an IP network (for example, Internet, Intranet, LAN) or wireless (for example, WLAN, CDMA, TDMA, FDMA, Bluetooth).

The data communication network 10, 11, which is wireless in the case shown as an example, includes at least two terminal equipment A-D communicating with one another, of which one of the terminal equipment, A, functions at least as a transmitter, whereas the other terminal equipment B functions at least as a receiver. Communication between terminal equipment A, B may be, for example, directly in data format, such as SMS messages or electronic mail or indirectly in data format, such as, for example, coded speech.

Furthermore, the data communication network 10, 11 includes at least one special server terminal equipment 13.1 equipped with connection devices 14.1. For this a database dB_(M) is arranged for storing of encryption information, such as indexed encryption keys. Furthermore, at the server terminal equipment 13.1 the ID identifier of the terminal equipment A-D subordinated to it is stored therein, besides the said indexed encryption keys. There may also be several server terminal equipment, whereby synchronization of their databases dB_(M) may be implemented, for example, by some known method (not shown).

At the said server terminal equipment 13.1 a functionality is also arranged, such as, for example, a program or a corresponding set of commands to be carried out in a processor environment, which commands are used for managing and distributing these indexed encryption keys to other terminal equipment A-D based on the established criterion. The server terminal equipment 13.1, which the invention thus also concerns, may be, for example, a PC or some other such, like the terminal equipment A-D communicating with one another in the data communication network 10, 11, provided that resources are arranged for it for managing, generating and distributing the said indexed encryption keys.

The server terminal equipment 13.1 is preferably arranged in such a way that it is easy to supervise its physical security. One such way of locating the server terminal equipment 13.1 is a well-protected, preferably locked place (not shown), because any data break-in therein would cause loss of the encryption model. The place is, for example, on the premises of the company, organisation, user group or such carrying out the communication, which the members of the communicating group advantageously visit regularly. A coffee or negotiation room or such is presented as an example of such a room.

The terminal equipment A-D also include devices for storing and administering a set of indexed encryption keys, devices for doing data encryption and for decrypting the encryption by chosen algorithms and by an encryption key according to the encryption key index and at least one carrier interface for receiving the indexed encryption keys from the data communication network 11. For the indexed encryption keys a database dB_(A), dB_(B), dB_(C), dB_(D) is arranged in the memory area of terminal equipment A-D. Administration of the encryption keys is done in the processor environment of the terminal equipment A-D by commands performed by a program. The method according to the invention sets no limitations for the algorithms used in the encryption, but it may preferably be any one based on a random encryption key. Thus, the encryption algorithm may even be quite public, such as, for example, XOR summing.

According to an advantageous embodiment, flexible distribution of the indexed encryption keys to terminal equipment C, D takes place over a wireless local area network connection 11, such as, for example, WLAN (Wireless Local Area Network) or Bluetooth or over some other local data transmission channel (IrDA, RS-232). The updating of keys may be automated, by using, for example, Bluetooth technology, whereby it is always performed when the users 12.3, 12.4 together with their terminal equipment C, D pay a visit to this “updating node” 11. Distribution of encryption keys may be performed without encryption, if it is possible to make sure that no external quarters have access to the data communication network 11 (for example, Bluetooth). Furthermore, also if the distribution of encryption keys takes place by way of an IR port or a data cable in a closed space, it is not necessary to encrypt the keys.

The encryption keys may also be encrypted when transferring them from the server terminal equipment 13.1 to the terminal equipment A-D. The algorithm for use in the encryption may be chosen rather freely, depending, for example, on the physical conditions.

As one way of performing encryption in the transfer of encryption keys the use of one-time pad encryption may be mentioned, whereby the encryption method is used twice in a sense. Hereby the encryption of keys is carried out with the chosen algorithm, wherein another list of encryption keys is used, which is especially intended for transfer of keys. The keys of this list again may be downloaded in terminal equipment A-D from the server terminal equipment 13.1 only through a data cable.

FIG. 2 a shows an illustrating example of a running set of indexed encryption keys S_N stored at the server terminal equipment 13.1. Indexes N to be presented as integer numbers are in the first field of the record, while the encryption keys S_N corresponding to index N are in the second field and are, for example, in hexadecimal form.

FIG. 2 b shows an example of a management database dB_(M) located in server terminal equipment 13.1. The record, which corresponds to one terminal equipment A-D, is formed by the terminal equipment A-D ID field (for example, the subscriber identifier and/or the terminal equipment IMEI (International Mobile Equipment Identity) code), the indexes N of the (active) encryption keys S_N last downloaded at terminal equipment A-D and the indexes BACKUP_N of the backup encryption keys located at the terminal equipment A-D. The ID field must unambiguously identify the terminal equipment A-D and its user 12.1, 12.2, 12.4, 12.5. For each terminal equipment A-D only a predetermined number of these active encryption keys S_N can be stored (for example, 40).

In the following different embodiments of the method according to the invention will be described, of which there are at least two different types in principle. Of these only one can be used at a time in the same terminal equipment group A-D, depending on the participants in the system.

FIG. 3 is a flow diagram showing an example of a first embodiment of the method according to the invention with a transmitting terminal equipment A. The embodiment is implemented as a complete one-time pad encryption, wherein the chosen indexed encryption key S_N is used only one time, whereupon the used encryption key S_N is deleted from every terminal equipment A-D of the system. With this method of implementation a very high security level is achieved for the encryption. However, the implementation method requires sufficient memory capacity of the terminal equipment A-D, because the lists of encryption keys to be stored in them may hereby become very long.

The user 12.1 of terminal equipment A produces in some manner a message M, which is to be transmitted and which may be, for example, a SMS or electronic mail message (301). When message M has been produced and user 12.1 in the established way notifies terminal equipment A that he wishes to perform the transmission encrypted explicitly with one-time pad encryption, terminal equipment A will according to one embodiment choose encryption key index N from its indexed encryption key database dB_(A) arranged in its memory (302).

According to an advantageous embodiment, after the choice of encryption key index N terminal equipment A checks at server terminal equipment 13.1 the usability of the chosen index N, for example, as a SMS message (303) through data communication network 10. The embodiment may also be implemented without any checking procedure (303-306), because in this case the encryption key S_N is used only once. Furthermore, if in the method according to the invention updating of encryption keys S_N is done essentially simultaneously for all terminal equipment A-D, then such a checking procedure (303-306) is not even necessary. However, if some other terminal equipment B-D would happen to transmit almost simultaneously with terminal equipment A a message encrypted with the same encryption key S_N and server terminal equipment 13.1 has not had the time to do the said updating concerning encryption key S_N and send the relating cancelling commands (presented hereinafter) to terminal equipment A-D, then this checking procedure (303-306) is an advantageous precautionary measure in the described embodiment.

Server terminal equipment 13.1 checks the usability of index N in its own main database dB_(M) (304) and sends a reply to the inquiring terminal equipment A (305). Terminal equipment A receives the information and based on this it either accepts the encryption key index N of its choice or chooses a new index N from its database dB_(A) for checking in a similar manner (306).

According to another more advantageous embodiment, the procedure of choosing (302-305) the encryption key index N can be performed in such a way that the user 12.1 of the transmitting terminal equipment A indicates the recipient B of the message M in some manner (302), of which information is then relayed to server terminal equipment 13.1 (303). It should be noticed that the message may also have several recipients B-D. Server terminal equipment 13.1 chooses from its database dB_(M) an index N corresponding to the encryption key S_N suitable for transmitter A and for recipient B (304) and sends information about this to the transmitting terminal equipment A (305). This indirect embodiment is considerably more advantageous as regards the choice of index to be made directly at terminal equipment A, because the traffic volume is hereby significantly smaller (not shown).

When a usable index N is found, terminal equipment A performs encryption of message M using encryption key S_N corresponding to the index N just chosen for generation of the encryption bit stream (308). If encryption key S_N is stored encrypted in database dB_(A), its encryption is decrypted (307′). Encryption of the message M to be transmitted may be performed with encryption algorithms known as such, which can be run by the processor devices of terminal equipment A.

After the encryption the encrypted message RM and index N of the encryption key S_N used in the encryption are transmitted by way of data communication network 10 to the terminal equipment 12.2 of one or more recipients B of the message (309).

FIG. 4 is a flow diagram showing an example of a first embodiment of the method according to the invention with a receiving terminal equipment B. The flow diagram shown in FIG. 3 continues in FIG. 4. Terminal equipment B receives message RM and index N in the known manner (401). Terminal equipment B fetches an encryption key S_N corresponding with index N from its own indexed key database dB_(B) (402) and decrypts the encrypted message RM with the fetched encryption key S_N using an encryption method of a corresponding kind (404). If encryption key S_N is encrypted, its decryption is performed before it is used (403′). Message M is shown to user 12.2 of terminal equipment B, for example, on the display, if the message is the SMS message used in the example (405).

Immediately after terminal equipment A has, for example, sent message M to terminal equipment B (309) and/or terminal equipment B has decrypted the encryption of message M (404), these in the method according to the embodiment will send information on the use of the encryption key S_N corresponding with index N to server terminal equipment 13.1 (310, 406).

FIG. 5 is a flow diagram showing an example of measures taken in connection with updating of encryption information with the embodiment shown in FIGS. 3 and 4. Server terminal equipment 13.1 identifies terminal equipment A, B sending the used index N, receives the used encryption key index N and registers it as used (501). Then server terminal equipment 13.1 sets for the concerned index N a strikethrough flag at all terminal equipment A-D in its main database dB_(M). A command is sent to all terminal equipment A-D to delete the corresponding encryption key index N from their indexed key databases dB_(A), dB_(B), dB_(C), dB_(D) (502).

Terminals A-D receive the command to delete index N and carry out the steps for deleting index N and the corresponding encryption key S_N irrevocably from their database dB_(A), dB_(B), dB_(C), dB_(D) (503.1-503.3). Terminals A-D also send an acknowledgement to server terminal equipment 13.1 of the deletion of index N (504.1-504.3), which registers acknowledgements (505, 506). When the deletion has been acknowledged by all terminal equipment A-D receiving the deletion command, server terminal equipment 13.1 finally deletes the encryption key S_N corresponding to index N also from its own main database dB_(M) (507).
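The complete one-time pad flow of FIGS. 3 to 5, as an added Python sketch that is not part of the patent text: terminals hold the same indexed keys, the transmitter sends index N together with the XOR-encrypted message RM, and the server keeps a used key until every terminal has acknowledged its deletion. The class names, the `online` flag, the 32-byte key length and the sample messages are assumptions made for this illustration.

```python
import secrets

KEY_LEN = 32  # bytes per key S_N; constructed value, the page fixes no length


def xor_bytes(data, key):
    """XOR summing. A one-time pad key must cover the whole message."""
    if len(data) > len(key):
        raise ValueError("message longer than key")
    return bytes(d ^ k for d, k in zip(data, key))


class Terminal:
    """Terminal equipment with its indexed key database (dB_A, dB_B, ...)."""

    def __init__(self, ident):
        self.ident = ident
        self.online = True   # assumption: models reachability over network 10, 11
        self.db = {}         # index N -> key S_N

    def send(self, message, server):
        # Steps 302-309: choose an index, confirm it with the server, encrypt.
        for n in sorted(self.db):
            if server.is_usable(n):
                return n, xor_bytes(message, self.db[n])
        raise LookupError("no usable key left; update from the server needed")

    def receive(self, n, ciphertext):
        # Steps 401-404: fetch S_N by the transmitted index and decrypt.
        return xor_bytes(ciphertext, self.db[n])

    def delete_key(self, n):
        # Step 503: remove S_N; the return value is the acknowledgement (504).
        self.db.pop(n, None)
        return True


class Server:
    """Server terminal equipment 13.1 with management database dB_M."""

    def __init__(self):
        self.terminals = {}
        self.keys = {}       # index N -> key S_N
        self.pending = {}    # flagged index N -> IDs that have not acknowledged
        self.next_index = 1

    def register(self, terminal):
        self.terminals[terminal.ident] = terminal

    def distribute(self, count):
        # Load the same freshly generated keys into every registered terminal.
        for _ in range(count):
            n, self.next_index = self.next_index, self.next_index + 1
            self.keys[n] = secrets.token_bytes(KEY_LEN)
            for t in self.terminals.values():
                t.db[n] = self.keys[n]

    def is_usable(self, n):
        # Steps 304-305: an index is usable until it carries the used flag.
        return n in self.keys and n not in self.pending

    def report_used(self, n):
        # Steps 501-502: flag the index, then command every terminal to delete.
        if n in self.keys and n not in self.pending:
            self.pending[n] = set(self.terminals)
        self.push_deletions()

    def push_deletions(self):
        # Steps 502-507: reach the terminals that are available, collect acks,
        # and drop S_N from dB_M only once every terminal has acknowledged.
        for n in list(self.pending):
            for ident in list(self.pending[n]):
                t = self.terminals[ident]
                if t.online and t.delete_key(n):
                    self.pending[n].discard(ident)
            if not self.pending[n]:
                del self.pending[n]
                del self.keys[n]


def demo():
    server, a, b, c = Server(), Terminal("A"), Terminal("B"), Terminal("C")
    for t in (a, b, c):
        server.register(t)
    server.distribute(3)
    c.online = False                          # C is unavailable to the network
    n, rm = a.send(b"meet at 0900", server)   # constructed message M
    plain = b.receive(n, rm)
    server.report_used(n)                     # step 310, reported by A
    server.report_used(n)                     # step 406, reported by B
    before = (n in a.db, n in c.db, n in server.keys)
    next_n, _ = a.send(b"second", server)     # the flagged index is skipped
    c.online = True
    server.push_deletions()                   # C acknowledges at last
    after = (n in c.db, n in server.keys)
    return n, plain, before, next_n, after
```

While terminal C is unreachable the used key survives both on C and in the server database, which is the synchronization cost the following paragraph describes.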

The embodiment presented above requires that deletion commands be sent to every terminal equipment A-D (502) and in consequence of their implementation acknowledgement to be sent from terminal equipment A-D to server 13.1 after the deletions (504.1-504.3). This may possibly result even in heavy traffic. If one or more terminal equipment A-D are unavailable to data communication network 10, 11, then synchronization of encryption key lists dB_(A), dB_(B), dB_(C), dB_(D) may also in this case become problematic. In principle, if server terminal equipment 13.1 is not in use, then neither are the other communicating terminal equipment A-D, at least after they run out of active encryption keys.

FIG. 6 is a flow diagram showing another way of implementation for carrying out updating of encryption information. In this case, the transmission-reception procedure shown in FIGS. 3, 4 and 5 ends with the transmission of information to server terminal equipment 13.1 on the use of index N (310, 406) and with its registration at server terminal equipment 13.1 (501). In this embodiment, the choice steps or the steps of checking the usability of index N as shown in FIG. 3 (302-306) are of an essential importance.

In this embodiment, the updating of indexed encryption keys S_N used in complete one-time pad encryption is performed in accordance with the established criterion either at the request of terminal equipment A-D or in an automated manner by server terminal equipment 13.1. This is preferably done over a wireless local area network connection 11, for example, at the time when user 12.1, 12.2, 12.3, 12.4 arrives with his terminal equipment A-D on the premises of the business organisation or in some other controlled area.

Terminal equipment C opens a data communication connection with server terminal equipment 13.1 and vice versa (601.1, 601.2). Server terminal equipment 13.1 sends to terminal equipment C a list of the used encryption key indexes N, which the deletion command concerns (602).

Terminal equipment C receives the list of encryption keys, which the deletion command concerns, and updates its own database dB_(C) in accordance with the received data (603). It is essential in connection with the updating, that the used encryption keys S_N are deleted permanently from the database dB_(C) of terminal equipment C. Terminal equipment C notifies the server of its own identity symbol ID (604), if this was not already done when the connection was set up (601.1, 601.2), and at the same time acknowledges the deletions it has made in its database dB_(C). Server terminal equipment 13.1 generates with its arranged software indexed encryption keys S_N into its own main database dB_(M) based on the identity information ID it has received into its record corresponding to terminal equipment C, as many as there is space in the database dB_(C) of terminal equipment C for active indexed encryption keys S_N (605, 606) or based on some other advantageous criterion.

One example of forming such a criterion is that server terminal equipment 13.1 estimates the number of encryption keys used by terminal equipment A-D and based on this information it distributes encryption keys to each terminal equipment A-D according to their consumption of encryption keys. For this reason, different terminal equipment A-D may have a different number of encryption keys in their memories. Thus, server terminal equipment 13.1 may optimize the number of encryption keys, for example, according to the size of the user group and frequency of use. Hereby, for example, if there are many terminal equipment, but encrypted communication takes place seldom between them, it is sufficient to distribute only a few encryption keys at a time to each terminal equipment.

At some stage of the procedure server terminal equipment 13.1 performs a check in its database dB_(M) to find if in connection with the updating of terminal equipment C such encryption keys occurred, which were set for deletion and concerning the deletion of which an acknowledgement would have arrived from all terminal equipment A-D. If such are found, an irrevocable deletion of these encryption keys is carried out at server terminal equipment 13.1 (not shown).

After the generation of indexes N and corresponding encryption keys S_N and the storing in database dB_(M), server terminal equipment 13.1 sends indexed encryption keys S_N to terminal equipment C (607), which receives them correspondingly (608). Terminal equipment C stores the indexed encryption keys S_N it has received in its own database dB_(C) (1°, 609). As many encryption keys S_N are preferably downloaded at one updating time as is possible within the memory resources of terminal equipment C. This is done to compensate for the fact that although terminal equipment A-D would come very seldom for downloading of encryption keys S_N, it would still have enough encryption keys S_N for carrying out the communication. On the other hand, server terminal equipment 13.1 may also optimize the number of encryption keys to be downloaded at terminal equipment C in accordance with the established criteria.

According to an advantageous embodiment, terminal equipment C may also encrypt the encryption keys S_N it has received, for example, with a code set by user 12.3 or with a PIN (Personal Identity Number) identifier, which is fetched from the SIM (Subscriber Identity Module) card without any steps taken by user 12.3 (2°, 608′). Correspondingly, before performance and/or decryption of the data encryption the encryption of encryption keys S_N must hereby be decrypted. The updating procedure is completed by closing down the connections from terminal equipment C to server terminal equipment 13.1 and vice versa (610.1, 610.2).

After stage (610.1), terminal equipment C may send a list of encryption key indexes N to be deleted to the established terminal equipment D, which updates its own database dB_(D). Correspondingly, if terminal equipment D visits server 13.1 to fetch the updated list of encryption key indexes, it will relay it to terminal equipment C. In this way it is possible to reduce further the number of necessary updating communication (not shown).

In the embodiment the data transmission relating to the use and updating of encryption keys S_N can be kept at a moderate level. At server terminal equipment 13.1 a strikethrough flag can be set, and the information on the use of encryption keys S_N is stored at server terminal equipment 13.1 only. The index list of encryption keys S_N to be deleted is only sent when terminal equipment A-D starts the updating delivery of encryption keys.

Such an advantage is also achieved with the embodiment that two terminal equipment A, B may communicate with each other even in such a case when they fail to establish a connection with the server terminal equipment 13.1. However, the security of the system is hereby poorer, because the encryption key may then already be used. In fact, advantageous situations for using this mode are emergency situations in particular, such as a situation where the encryption infrastructure has broken down.

FIG. 7 is a flow diagram showing an example of another embodiment of the method according to the invention with a transmitting and receiving terminal equipment A, B. In this embodiment, encryption is carried out as partial one-time pad encryption, where the same encryption key S_N may be used at least twice. An example of such repeated use, besides the encryption of messages presented above, is encryption of a voice call by using a symmetrical algorithm.

In partial one-time pad encryption the same encryption keys S_N may be used several times. User 12.1 uses terminal equipment A to produce, for example, a SMS message (701). Further, terminal equipment A chooses index N from its database dB_(A) (702). In this connection it is also possible to perform the check or selection procedure of index N shown in FIG. 3 (302-306), if this is necessary or possible. Now every terminal equipment A-D maintains, in order to avoid problems caused by synchronization or downtime of server terminal equipment 13.1, cycle information TUSE_N of encryption keys S_N, which these have used without any acknowledgement made to server terminal equipment 13.1. Hereby information is also maintained at server terminal equipment 13.1 on the total cycles USE_N of the encryption keys.

As terminal equipment A chooses index N, the cycle variable TUSE_N of the individual terminal equipment is increased (703). The encryption of message M, the transmission to terminal equipment B and the reception there all take place in the manner described in the foregoing (704-706). The terminal equipment B may also be used to increase the corresponding cycle variable TUSE_N (708). The remaining stages, such as the decryption of message M (708-709) and its presentation to user 12.2 (710) may proceed in a corresponding manner as in the complete one-time pad embodiment described above.

With the partial one-time pad encryption embodiment the advantage is achieved that the synchronization of the databases dB_(A), dB_(B), dB_(C), dB_(D) of terminal equipment A-D is without problems and the need for memory capacity of databases in the terminal equipment A-D is considerably smaller than in complete one-time pad encryption.

FIG. 8 is a flow diagram showing an example of updating of the encryption information for the partial one-time pad encryption shown in FIG. 7.

When a connection is possible from the terminal equipment D to be updated to server terminal equipment 13.1, it is set up in both directions in the known manner (801.1, 801.2). Terminal equipment D transmits the values of one or more of its indexes TUSE_N with the established criterion to server terminal equipment 13.1 (802) and sets them at zero (804). The said criterion may be, for example, TUSE_N>0.

At the server terminal equipment 13.1 the total number of cycles USE_N of the corresponding one or more indexes N is increased by the received TUSE_N value (803). If USE_N exceeds the limit value MAX (805) established for it, a strikethrough flag is set for index N in order to delete it from the list of encryption keys (806). Thereupon and even in the case that the maximum cycle condition is not fulfilled, it is possible to proceed, for example, in the manner shown in FIG. 6 starting from stage (602).

With this embodiment an advantage is achieved in that it is not necessary to update all terminal equipment A-D after the use of each encryption key S_N. Although the same encryption key S_N may hereby be used several times, the security level of the encryption method will not suffer significantly, because a limited value may be established for the number of repetitions of the encryption keys S_N, such as, for example, TUSE_N<4. However, repetition of the encryption keys S_N may make possible a partial decryption of the individual key S_N by statistic methods (for example, by studying the differences between messages), but even in the worst case it is then possible to decrypt only TUSE_N messages. Thus, decryption of one encryption key S_N will not damage the security of the system as a whole. If desired, TUSE_N=1 may be established, for example, for every third key S_N, whereby the most sensitive messages may be sent by using these keys and in this way make sure that no repetition of keys S_N will take place in these cases.
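The use-count bookkeeping of FIG. 7 and FIG. 8 is sketched below as an added example, not code from the patent; it also shows that terminals counting offline can together pass MAX before the server learns of it, and that a flagged key stays on a terminal until that terminal's next update. The class and method names, MAX = 3 and the key indexes 5 and 6 are assumptions, and only the sending terminal is assumed to count a use.

```python
MAX = 3  # constructed limit for the total uses USE_N of one key


class Terminal:
    def __init__(self, name, key_indexes):
        self.name = name
        self.keys = set(key_indexes)               # indexes N held in the local database
        self.tuse = {n: 0 for n in key_indexes}    # TUSE_N: uses not yet reported

    def use_key(self, n):
        """Stages 702-703: choose index N and increase the local TUSE_N."""
        if n not in self.keys:
            raise KeyError(f"{self.name} no longer holds key {n}")
        self.tuse[n] += 1

    def report(self):
        """Stages 802 and 804: send every TUSE_N > 0, then set it to zero."""
        pending = {n: c for n, c in self.tuse.items() if c > 0}
        for n in pending:
            self.tuse[n] = 0
        return pending

    def delete(self, indexes):
        """Carry out a deletion command received from the server."""
        for n in indexes:
            self.keys.discard(n)
            self.tuse.pop(n, None)


class Server:
    def __init__(self, key_indexes, max_uses=MAX):
        self.use = {n: 0 for n in key_indexes}   # USE_N: total reported uses
        self.struck = set()                      # indexes carrying the strikethrough flag
        self.max_uses = max_uses

    def update(self, terminal):
        """Stages 803-806 for one terminal that has come in for updating."""
        for n, count in terminal.report().items():
            self.use[n] += count                  # 803
            if self.use[n] > self.max_uses:       # 805
                self.struck.add(n)                # 806
        # The deletion list is sent only during an update, so a terminal
        # keeps a flagged key until its own next visit.
        terminal.delete(self.struck)
        return sorted(self.struck)


def demo():
    a = Terminal("A", [5, 6])
    b = Terminal("B", [5, 6])
    server = Server([5, 6])
    # Both terminals are out of reach of the server; each uses key 5 twice.
    for t in (a, b):
        t.use_key(5)
        t.use_key(5)
    first = server.update(a)     # USE_5 = 2, within MAX
    second = server.update(b)    # USE_5 = 4 > MAX: flag set, B deletes key 5
    stale = 5 in a.keys          # A has not been told yet
    third = server.update(a)     # A learns of the deletion on its next visit
    return first, second, stale, third, server.use[5], sorted(a.keys)


if __name__ == "__main__":
    print(demo())
```

A per-terminal cap such as TUSE_N<4 bounds what one terminal does between updates, but the total across terminals is only known once each has reported.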

In the following, management of encryption keys with the server terminal equipment 13.1 will be explained as a possible embodiment. With the software arranged at server terminal equipment 13.1 the aim is in every cycle of encryption key S_N generation to bring about the maximum number of active encryption keys S_N, which are thus distributed to the terminal equipment A-D. In addition to this, at the server terminal equipment 13.1 all permutations of the remaining encryption keys are maintained as BACKUP keys in database dB_(M). These can preferably be arranged as a Hash data structure. Hereby at least one encryption key always exists for use in the communication between all terminal equipment and several encryption key pairs exist for some terminal equipment pairs. It is also possible to store more than one version of each permutation, but the BACKUP list will then grow large in size.

FIG. 9 a shows a situation by way of example of an active encryption key list S_N and a BACKUP list, which lists are stored at server terminal equipment 13.1 and form a part of database dB_(M). It should be noted that the example is not concerned with actual encryption keys S_N but with the indexes N corresponding to these. Each line corresponds to one terminal equipment A-D. The BACKUP keys BACKUP_N are in this situation in the early end of the list and they are followed by active keys S_N. It should be noted that the set-up may also be the other way round, because the list is arranged as a running list in principle. Hereby, when the list is “full”, generation of active keys S_N will again start from its beginning. In the said situation, the indexes of terminal equipment A's BACKUP keys are BACKUP_N={7, 9, 10, 11, 12, 14, 16, 19, 22, 28, 29, 32, 33, 34, 35} while the indexes of the actual active keys are N={36, 37, 38, 39, 40, 41, 42}.

FIG. 9 b shows an example, when terminal equipment B is in an updating connection with server terminal equipment 13.1. New encryption keys S_N are generated each time when server terminal equipment 13.1 is in connection with terminal equipment B. In this example, the number of active encryption keys is limited to 10. In this case, server terminal equipment 13.1 generates for terminal equipment B one new encryption key S_N, whose N=46. Generally speaking, it is possible and advantageous to generate as many keys S_N as possible within the maximum number of active keys S_N. In order to keep the number of active encryption keys S_N within the established limitation (≦10), one of these keys must be destroyed. In this case the key to be destroyed is the oldest one of the active keys, that is, key 36, which is now the active key S_N for terminal equipment A, C, D.

FIG. 9 c shows the following stage, where the BACKUP list is searched preferably for the oldest BACKUP key as the common key for terminal equipment A, C, D. Nothing prevents one from also choosing some other key meeting the said criterion, but this oldest key is the best one, because hereby the list of encryption keys can be arranged as a circular and running list, reducing the terminal equipment A-D need for memory capacity for storing keys.

For the chosen key, whose N=12, a strikethrough flag is set at server 13.1 and a deletion command directed at it is also transmitted to all terminal equipment A, C, D. It should be noted, however, that there is no certainty for terminal equipment A, C, D as regards the implementation of deletion until the concerned terminal equipment A, C, D is once again updated by server terminal equipment 13.1. However, this key 12 should no longer be used for encryption of the communication of terminal equipment A, C, D.

FIG. 9 d shows a situation, where terminal equipment A is now the one in connection with server 13.1 for updating of its key list. For the terminal equipment a new key N=46 is downloaded, and at the same time the success of deletion of key N=12 is ensured. The list of active keys may be transferred to start with key 37, whereby the BACKUP list is changed correspondingly. The BACKUP list is examined for encryption keys for terminal equipment A and it is searched for duplicate occurrences of encryption keys. It is found that 7, 34, 35 are common BACKUP keys for the terminal equipment pairs AD. It is hereby most advantageous to set a strikethrough flag for key 7, to delete it from terminal equipment A and to leave keys 34 and 35 remaining in storage.

The encryption protocol according to the invention is made unique by the fact that no capacity for one-time pad encryption is lost, although one or more terminal equipment disappear, are stolen or have their security status broken down in some other way. This is made possible by the use of the above-mentioned BACKUP keys. Although the lists of encryption keys must be updated as quickly as possible in such a situation, it is still possible that the other terminal equipment can continue with their secured data communication at least for some time.

When the security level of some terminal equipment suffers essentially, for example, because terminal equipment B is stolen, the encryption keys S_N actively in use by terminal equipment B, which has lost its security, can be set at server terminal equipment 13.1 for deletion from use by the other terminal equipment A, C, D. Hereby those BACKUP keys (FIG. 2 b) stored in terminal equipment A, C, D, which have already been certainly deleted from terminal equipment B, which has lost its security status, are put into use for a time until new active encryption keys S_N have been generated and updated for terminal equipment A, C, D.

FIGS. 10 a-10 c show an example of such a case, where one terminal equipment A-D loses its data security because, for example, it is stolen or lost. FIG. 10 a shows the initial situation. If terminal equipment B loses its security status, then the active keys and BACKUP keys stored therein must be deleted immediately from use by the other terminal equipment A, C, D (FIG. 10 b).

It is seen in FIG. 10 c that terminal equipment A, C, D can still continue at least to some extent with their secured communication. The BACKUP keys common to all terminal equipment A, C, D are 12, 29 and 32. Keys common to terminal equipment A and C are 7, 34 and 35, while the key common to terminal equipment C and D is 8. There is now no active list and it must in fact be generated as soon as possible.
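The server-side bookkeeping for the loss of terminal equipment B can be sketched as follows; this is an added example, not code from the patent. The key holdings are constructed so that the result matches the outcome stated for FIG. 10 c (they are not the figure's data), the function names are hypothetical, and key 11 is a constructed index whose deletion was commanded to B but never acknowledged, so it is treated as still stored in B.

```python
from itertools import combinations

# Constructed holdings (active and BACKUP indexes together) per terminal.
HOLDINGS = {
    "A": {7, 11, 12, 29, 32, 34, 35, 36, 37, 38},
    "B": {9, 10, 36, 37, 38, 39},
    "C": {7, 8, 9, 11, 12, 29, 32, 34, 35, 36, 37, 38},
    "D": {8, 10, 12, 29, 32, 36, 37, 38, 39},
}

# Deletion commands sent but not yet acknowledged, per terminal (constructed).
UNCONFIRMED_DELETIONS = {"B": {11}}


def revoke_terminal(holdings, compromised, unconfirmed_deletions):
    """Remove the compromised terminal and every key index it may still store.

    Only keys that are certainly deleted from the compromised terminal stay
    usable, so indexes with an unacknowledged deletion count as exposed too.
    """
    exposed = holdings[compromised] | unconfirmed_deletions.get(compromised, set())
    return {t: keys - exposed for t, keys in holdings.items() if t != compromised}


def keys_by_holders(holdings):
    """Map each set of terminals to the key indexes held by exactly that set."""
    groups = {}
    for n in set().union(*holdings.values()):
        holders = frozenset(t for t, keys in holdings.items() if n in keys)
        groups.setdefault(holders, set()).add(n)
    return groups


def uncovered_pairs(holdings):
    """Terminal pairs that are left without any common key."""
    return [(x, y) for x, y in combinations(sorted(holdings), 2)
            if not holdings[x] & holdings[y]]


if __name__ == "__main__":
    remaining = revoke_terminal(HOLDINGS, "B", UNCONFIRMED_DELETIONS)
    for holders, keys in sorted(keys_by_holders(remaining).items(),
                                key=lambda item: sorted(item[0])):
        print("".join(sorted(holders)), sorted(keys))
    print("pairs without a common key:", uncovered_pairs(remaining))
```

An empty result from `uncovered_pairs` means every remaining pair can still communicate on keys B never held; a non-empty one identifies the pairs that must wait for new active keys.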

However, there is always a small number of BACKUP keys in practice. It is also possible though that some terminal equipment A-D runs out of active encryption keys S_N even in quite ordinary communication. Then a solution could be to allow use of BACKUP key pairs in the communication between terminal equipment A-D.

The size of the memory space to be reserved at terminal equipment A-D for the encryption keys S_N depends both on the memory capacity provided by terminal equipment A-D and on several factors, such as for example, how often the system is used and how often terminal equipment A-D are brought in for updating on an average, so it may even vary much.

Such an advantage is especially achieved with the invention that the disappearance, theft or other broken security of one or more terminal equipment A-D will not result in a final loss of data security for the user 12.1, 12.2, 12.3, 12.4 (as would happen in the case of disappearance of a terminal equipment equipped with a private PGP key), because a new encryption key can be generated in a simple way. For this reason, the encryption model according to the invention is well suited for mobile terminal equipment, which are easily lost or stolen.

According to one more advantageous embodiment, updating of encryption keys S_N for terminal equipment A-D may be done in such a way that they are not necessarily given all the encryption keys S_N generated by server terminal equipment 13.1. Hereby one or more encryption keys S_N may not be distributed based on an established criterion. One such criterion could be such that, for example, after each encryption key index N divisible by 30 so many encryption keys are reserved for terminal equipment AB, AC, AD, BC, BD, CD in pairs as they can form pairs. Hereby an encryption key S_N corresponding to each index N is distributed to one terminal equipment pair only.

Such an embodiment is also possible and can easily be deduced from the former, where there are not necessarily any entirely common encryption keys for the terminal equipment A-D, but the procedure of the kind presented above is implemented, for example, in some periodic manner. For BACKUP keys, too, a similar key implementation in pairs only can be applied, where they have a separate table of their own.

Furthermore, the encryption keys S_N need not necessarily be in pairs, but the method may also be implemented in such a way that all terminal equipment but one get a certain encryption key. Hereby in the case of terminal equipment N the encryption key may be, for example, shared in three, four, five, . . . , N−1.

By such a division in advance of encryption keys S_N into partial groups, where only some keys S_N are distributed to some terminal equipment A-D, such an advantage is achieved, among others, that when the security level of a terminal equipment A becomes essentially poorer (for example, when it is stolen), there is no need to move over to the already presented reuse of encryption keys S_N, which may have a detrimental effect on the security level of encryption. Now the terminal equipment B-D with unchanged security level may continue with their secured communication, because they still have secured encryption key pairs with each terminal equipment B-D.

In addition, although the foregoing contains a presentation of communication between two terminal equipment A-D as an application example, the method according to the invention may be generalized straightforwardly for 1-to-N group communication between several terminal equipment A-D. The method according to the invention hereby provides an especially functioning and smooth implementation for carrying out the one-time pad encryption model, because in the method according to the invention the number of encryption keys need not necessarily depend, for example, on the size of the group of users 12.1-12.4.

In principle, the encrypted data may be any kind of digital information from electronic mail to GSM-encrypted speech, but since media-rich information consumes one-time pads at a higher rate, the invention is most advantageous in text messages, such as GSM-SMS communication, electronic mail or in simple images, such as maps (for example MMS).

The invention is ideal, for example, in such situations where business enterprises have international operations, transporting vehicles or large business premises, which are likely to be visited regularly by all users 12.1, 12.2, 12.3, 12.4 with their terminal equipment A-D.

A situation where the method according to the invention can be used by way of example is one where a company employee asks the main office for instructions in contract negotiations. Another example is a guard receiving a SMS message containing the address of an emergency object.

Other potential user groups for the method and system according to the invention are, for example, travelling representatives of companies, valuable transporting vehicles, vehicle fleets of taxi, ambulance and security firms, law offices and medical use (confidential remote consultation), personnel of airports, oil-drilling rigs, prisons and nuclear power stations and government use. Other examples of application objects are bank transactions over the telephone, whereby the Bluetooth hub may be located at the bank office; m-Commerce, that is, mobile commerce, whereby the Bluetooth hub may be located in a department store, at grass-root level, in private use of human rights and other groups, etc.

It should be understood that the above explanation and the relating figures are only intended to illustrate the method and system according to the present invention. Thus, the invention is not limited only to the embodiments presented above or those defined in the claims, but many such different variations and modifications will be obvious to the man skilled in the art, which are possible within the scope of the inventive idea defined by the appended claims.

1. Method in a digital wireless data communication network for arranging data encryption as one-time pad encryption, wherein the data communication network includes at least two terminal equipment (A, B), which terminal equipment (A, B) are used for managing a set of indexed encryption keys (S_N) and the first terminal equipment (A) is at least a transmitter and the second terminal equipment (B) is at least a receiver and wherein the data encryption is adapted to take place at the first terminal equipment (A) in stages, wherein an encryption key index (N) is chosen, the data (M) to be transmitted is encrypted by using the encryption key defined by the chosen encryption key index (N) and the encrypted data (RM) is transmitted to the second terminal equipment (B) and wherein, correspondingly, the second terminal equipment (B) is used for receiving the encrypted data (RM) and decrypting the encrypted data (RM) by using the chosen key (S_N) indicated by the encryption key index (N), characterized in that, besides the encrypted data (RM), the said encryption key index (N) is transmitted to the receiving terminal equipment (B) and the data communication network also includes a special server terminal equipment, which is arranged to manage and distribute a set of indexed encryption keys (S_N) to the terminal equipment (A, B).

2. Method according to claim 1, characterized in that, besides the said indexed encryption keys (S_N), the identifier (ID) of its subordinated terminal equipment (A, B) is stored at the server terminal equipment, and wherein when updating a terminal equipment (A, B) at server terminal equipment the terminal equipment (A, B) to be updated is identified, from the terminal equipment (A, B) at least one used encryption key index (N) is received, and based on an established criterion a command is transmitted to one or more terminal equipment (A, B) to delete the corresponding one or more encryption key indexes (N), and which is used to delete irrevocably the chosen index at the said terminal equipment (A, B).

3. Method according to claim 2, characterized in that with one or more terminal equipment (A, B, C) the following sub-stages are also connected with the updating: the said commands are received and carried out in order to delete the said one or more encryption key indexes (N), acknowledgements are transmitted to the server of the deletion of one or more encryption key indexes (N).

4. Method according to claim 3, characterized in that furthermore in connection with updating at server terminal equipment acknowledgements by at least one terminal equipment (A, B) are received of the deletion of one or more encryption key indexes (N) and based on an established second criterion, one or more encryption key indexes (N) are deleted finally.

5. Method according to claim 1, characterized in that the encryption key index (N) is chosen by the transmitting terminal equipment (A), after which choice the terminal equipment (A) inquires from the server terminal equipment about the usability of the chosen index (N), and based on the information given it either approves the chosen index or chooses a new index for checking.

6. Method according to claim 1, characterized in that the encryption key index (N) is chosen by the server terminal equipment, whereby the transmitting terminal equipment (A) inquires from the server terminal equipment about the valid index (N), when transmitting to the receiving terminal equipment.

7. Method according to claim 1, characterized in that the chosen encryption key (S_N) is used only once.

8. Method according to claim 7, characterized in that as one sub-stage at least one of the communicating terminal equipment (A, B) immediately transmits information on the use of the encryption key index (N) to the server terminal equipment.

9. Method according to claim 1, characterized in that the encryption key (S_N) corresponding to the said encryption key index (N) is used at least twice, whereby the terminal equipment (A, B) is used to maintain cycle information (TUSE_N) on each used index (N) and the server terminal equipment is used to maintain total cycle information (USE_N) on the indexes (N).

10. Method according to claim 9, characterized in that in connection with the updating of terminal equipment (A, B) at the server terminal equipment is used before the said deletion command also for receiving from terminal equipment (A) cycle information (TUSE_N) of at least one used encryption key index (N), the received cycle information (TUSE_N) is summed into the total cycle information (USE_N), and the total cycles (USE_N) of the said one or more indexes (N) are compared with an established criterion value (MAX), based on which a decision is taken to carry out the said command to delete the index (N).

11. Method according to claim 1, characterized in that in addition at server terminal equipment when updating the encryption keys (S_N) of terminal equipment (A, B) at least one new encryption key index (N) is added to the terminal equipment (A, B) to be updated, a corresponding encryption key (S_N) is generated for one or more added indexes (N), one or more indexes (N) and the corresponding encryption key (S_N) are transmitted to the terminal equipment (A, B) to be updated.

12. Method according to claim 11, characterized in that at the server terminal equipment said encryption keys are generated in such a way that after the updating measures the terminal equipment (A, B) to be updated has at least one common encryption key (S_N) with every other terminal equipment (C, D).

13. Method according to claim 1, characterized in that the encryption keys (S_N) stored at the terminal equipment (A, B) are encrypted, whereby the encryption is decrypted before the data encryption is carried out and/or decrypted.

14. Method according to claim 1, characterized in that the encryption keys (S_N) are transferred encrypted from server terminal equipment to the terminal equipment (A-D).

15. Method according to claim 1, characterized in that when the security status of some terminal equipment (B) breaks down according to the established criterion, those encryption keys (S_N) are deleted from use, which are used at the corresponding terminal equipment (B).

16. System in a digital wireless data communication network for arranging data encryption as one-time pad encryption, which data communication network includes at least two terminal equipment (A, B) including devices for storing and managing indexed encryption keys (S_N), devices for carrying out data encryption and for decrypting the encryption with a chosen algorithm and with an encryption key (S_N) according to the encryption key index (N), at least one bearer interface for receiving indexed encryption keys (S_N), characterized in that at least one of the terminal equipment belonging to the data communication network functions as a special server terminal equipment, which manages and distributes encryption keys (S_N) to the other terminal equipment (A, B) according to an established criterion.

17. System according to claim 16, characterized in that the distribution of indexed encryption keys (S_N) to the terminal equipment (A, B) takes place over a wireless local area network connection, such as, for example, WLAN (Wireless Local Area Network) or Bluetooth.

18. System according to claim 16, characterized in that the distribution of indexed encryption keys (S_N) to the terminal equipment (A, B) takes place over a local data communication connection, such as, for example, IRDA (Infrared Data Association) or through a data cable connection.

19. Server terminal equipment in a digital wireless data communication network for arranging data encryption as one-time pad encryption, characterized in that at the server terminal equipment a set of indexed encryption keys (S_N) is arranged as well as a functionality for management and distribution of the indexed encryption keys (S_N).

20. Server terminal equipment according to claim 18, characterized in that at the server terminal equipment a functionality is arranged for optimizing the number of encryption keys (S_N) to be distributed to the terminal equipment (A-D) according to the current situation of use.